Solved

added new DC and transferred FSMO roles

Posted on 2014-09-15
9
135 Views
Last Modified: 2014-10-07
I recently added a new DC.  Once added and verified that DNS replicated I transferred the FSMO roles.  I did this so I could migrate the old DC to new hardware.  I'm getting the below error.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          9/14/2014 3:57:10 AM
Event ID:      2092
Task Category: Replication
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      myDCname.domain.local
Description:

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: CN=Schema,CN=Configuration,DC=mydomain,DC=local
0
Comment
Question by:gopher_49
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Follow the instructions here to SEIZE the schema role and then run a netdom query to validate:
netdom query FSMO
http://www.petri.com/seizing_fsmo_roles.htm

Once you have the roles moved and you validate AD replication is as expected, I suggest you demote the old DC and do a metadata cleanup.
0
 
LVL 16

Expert Comment

by:Emmanuel Adebayo
Comment Utility
How did you transfer the roles? Did you size the role after transfer?

At the command prompt on the server enter
netdom query FSMO
This will list the FSMO roles on the server, size the the missing role(s) by using "Ntdsutil"

Also, check this MS KB http://support.microsoft.com/kb/2102154

Regards
0
 

Author Comment

by:gopher_49
Comment Utility
I want to keep the old DC.  I just needed to migrate the VM to different hardware and it was my only DC.  So.  I added a new DC and then transferred the roles.  I then powered off the old DC and migrated that VM and powered it back on.

When running the fsmo query it shows my new dc to have the roles.  I did not seize  the schema role prior to running the command.
0
 
LVL 34

Expert Comment

by:Seth Simmons
Comment Utility
When running the fsmo query it shows my new dc to have the roles.

which one did you run that on?  run on both and see if the results on both are accurate
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:gopher_49
Comment Utility
Okay.  Ill run it on both and will report back shortly.
0
 

Author Comment

by:gopher_49
Comment Utility
I ran the command on both DC's and the results where the same.  It was successful and shows the new DC to be the role holder for all roles.  The error posted at the top of the post was from a few days ago.  Nothing has changed except for online defrags finishing successfully.
0
 
LVL 34

Accepted Solution

by:
Seth Simmons earned 500 total points
Comment Utility
if that error hasn't appeared since, i would say it was a transient error from when the fsmo roles were transferred and you won't be seeing it again since there have been no other messages and dcdiag is good on both systems since

often times when roles change, services are restarted, etc. transient messages like that will appear once in the beginning then go away
0
 

Author Comment

by:gopher_49
Comment Utility
okay..  I'll watch the event logs over the next few days to assure it's okay and will update everyone.
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
This has been seen in some instances where replication had not caught up. It might have just been the case here, since it has nit repeated since.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now